[FB-Discuss] Static SQL analysis in Strings passed to JDBC

Lukas Eder lukas.eder at gmail.com
Wed Sep 5 03:20:25 EDT 2012


Hello,

I have recently discovered this nice Eclipse plugin here:
http://code.google.com/p/alvor/

It evaluates String, StringBuilder, StringBuffer, CharSequence and
many other types passed to JDBC method for subsequent execution. It
doesn't do a bad job at this, even if it is in beta mode. The rate of
false positives is around 20% for regular SQL statements, and 100% for
stored procedure calls (which seem not to be supported). Checks
include:

- Syntax correctness
- Semantics correctness
- Object availability

It does so by

- Comparing SQL against its own internal SQL grammar
- Checking SQL statements against an actual database (provided a JDBC
driver, JDBC URL, user, password)

This is extremely powerful, as it can find common bugs resulting from
bad SQL string concatenation, misspelled table / column names, type
mismatches, etc. With findbugs' capabilities of analysing control
flows, this could be made even better to detect even remote
corner-cases or SQL passed to methods for the concatenation of
sub-clauses and sub-selects

Maybe a cooperation with Alvor would be interesting to FindBugs?


More information about the Findbugs-discuss mailing list